You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by Alok Lal <al...@hortonworks.com> on 2015/06/10 02:54:18 UTC

Review Request 35276: RANGER-533: Hbase plugin: if user does not have family-level access to any family in a table then user may be incorrectly denied access done at table/family level during get or scan. Scan/get done at column level is working correctly, so are other operations like put and delete.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35276/
-----------------------------------------------------------

Review request for ranger and Madhan Neethiraj.


Repository: ranger


Description
-------

- Changed code for filter and authorizer.
- Added misc logging to some classes for ease of debugging.
- Log column level audit even when family level access is available.


Diffs
-----

  agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java cea3e05 
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java e0b652e 
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandler.java bbff6df 
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandlerImpl.java e383614 
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java abf8a33 
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationFilter.java ae61a1e 
  hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/RangerAuthorizationFilterTest.java 4b49721 

Diff: https://reviews.apache.org/r/35276/diff/


Testing
-------

Testing scenario laid out in the apache JIRA.


Thanks,

Alok Lal

Re: Review Request 35276: RANGER-533: Hbase plugin: if user does not have family-level access to any family in a table then user may be incorrectly denied access done at table/family level during get or scan. Scan/get done at column level is working correctly, so are other operations like put and delete.

Posted by Madhan Neethiraj <ma...@apache.org>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35276/#review87352
-----------------------------------------------------------



hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
<https://reviews.apache.org/r/35276/#comment139686>

    is ANY_ACCESS check necessary? Can the column family be simply marked as 'indeterminate', and have the authorization done at the filter?



hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
<https://reviews.apache.org/r/35276/#comment139688>

    When columns are specified for the family, session.isAuthorized() here would the the value of the last column for which authorization was done - line #437. If yes, this code looks incorrect. Please review.


- Madhan Neethiraj


On June 10, 2015, 12:54 a.m., Alok Lal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35276/
> -----------------------------------------------------------
> 
> (Updated June 10, 2015, 12:54 a.m.)
> 
> 
> Review request for ranger and Madhan Neethiraj.
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> - Changed code for filter and authorizer.
> - Added misc logging to some classes for ease of debugging.
> - Log column level audit even when family level access is available.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java cea3e05 
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java e0b652e 
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandler.java bbff6df 
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandlerImpl.java e383614 
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java abf8a33 
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationFilter.java ae61a1e 
>   hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/RangerAuthorizationFilterTest.java 4b49721 
> 
> Diff: https://reviews.apache.org/r/35276/diff/
> 
> 
> Testing
> -------
> 
> Testing scenario laid out in the apache JIRA.
> 
> 
> Thanks,
> 
> Alok Lal
> 
>

Re: Review Request 35276: RANGER-533: Hbase plugin: if user does not have family-level access to any family in a table then user may be incorrectly denied access done at table/family level during get or scan. Scan/get done at column level is working correctly, so are other operations like put and delete.

Posted by Madhan Neethiraj <ma...@apache.org>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35276/#review87372
-----------------------------------------------------------

Ship it!


Ship It!

- Madhan Neethiraj


On June 10, 2015, 6:35 a.m., Alok Lal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35276/
> -----------------------------------------------------------
> 
> (Updated June 10, 2015, 6:35 a.m.)
> 
> 
> Review request for ranger and Madhan Neethiraj.
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> - Changed code for filter and authorizer.
> - Added misc logging to some classes for ease of debugging.
> - Log column level audit even when family level access is available.
> 
> 
> Diffs
> -----
> 
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java abf8a33 
> 
> Diff: https://reviews.apache.org/r/35276/diff/
> 
> 
> Testing
> -------
> 
> Testing scenario laid out in the apache JIRA.
> 
> 
> Thanks,
> 
> Alok Lal
> 
>

Re: Review Request 35276: RANGER-533: Hbase plugin: if user does not have family-level access to any family in a table then user may be incorrectly denied access done at table/family level during get or scan. Scan/get done at column level is working correctly, so are other operations like put and delete.

Posted by Alok Lal <al...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35276/
-----------------------------------------------------------

(Updated June 9, 2015, 11:35 p.m.)


Review request for ranger and Madhan Neethiraj.


Changes
-------

Fixed rework comments and bugs in audit handling.
- hbase acl tests pasded
- Still rerunning xa hbase tests


Repository: ranger


Description
-------

- Changed code for filter and authorizer.
- Added misc logging to some classes for ease of debugging.
- Log column level audit even when family level access is available.


Diffs (updated)
-----

  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java abf8a33 

Diff: https://reviews.apache.org/r/35276/diff/


Testing
-------

Testing scenario laid out in the apache JIRA.


Thanks,

Alok Lal

Re: Review Request 35276: RANGER-533: Hbase plugin: if user does not have family-level access to any family in a table then user may be incorrectly denied access done at table/family level during get or scan. Scan/get done at column level is working correctly, so are other operations like put and delete.

Posted by Madhan Neethiraj <ma...@apache.org>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35276/#review87363
-----------------------------------------------------------



hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
<https://reviews.apache.org/r/35276/#comment139702>

    How doe the filter created here returned to HBase? i.e. how does this filter get applied??


- Madhan Neethiraj


On June 10, 2015, 12:54 a.m., Alok Lal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35276/
> -----------------------------------------------------------
> 
> (Updated June 10, 2015, 12:54 a.m.)
> 
> 
> Review request for ranger and Madhan Neethiraj.
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> - Changed code for filter and authorizer.
> - Added misc logging to some classes for ease of debugging.
> - Log column level audit even when family level access is available.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java cea3e05 
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java e0b652e 
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandler.java bbff6df 
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandlerImpl.java e383614 
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java abf8a33 
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationFilter.java ae61a1e 
>   hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/RangerAuthorizationFilterTest.java 4b49721 
> 
> Diff: https://reviews.apache.org/r/35276/diff/
> 
> 
> Testing
> -------
> 
> Testing scenario laid out in the apache JIRA.
> 
> 
> Thanks,
> 
> Alok Lal
> 
>